Automatic merge from submit-queue (batch tested with PRs 43546, 43544)
Default to enabling legacy ABAC policy in non-test kube-up.sh environments
Fixes https://github.com/kubernetes/kubernetes/issues/43541
In 1.5, we unconditionally stomped the abac policy file if KUBE_USER was set, and unconditionally used ABAC mode pointing to that file.
In 1.6, unless the user opts out (via `ENABLE_LEGACY_ABAC=false`), we want the same legacy policy included as a fallback to RBAC.
This PR:
* defaults legacy ABAC **on** in normal deployments
* defaults legacy ABAC **on** in upgrade E2Es (ensures combination of ABAC and RBAC works properly for upgraded clusters)
* defaults legacy ABAC **off** in non-upgrade E2Es (ensures e2e tests 1.6+ run with tightened permissions, and that default RBAC roles cover the required core components)
GKE changes to drive the `ENABLE_LEGACY_ABAC` envvar were made by @cjcullen out of band
```release-note
`kube-up.sh` using the `gce` provider enables both RBAC authorization and the permissive legacy ABAC policy that makes all service accounts superusers. To opt out of the permissive ABAC policy, export the environment variable `ENABLE_LEGACY_ABAC=false` before running `cluster/kube-up.sh`.
```
Automatic merge from submit-queue
Bump CNI consumers to v0.5.1
**What this PR does / why we need it**:
- vendored CNI plugins properly handle `DEL` on missing resources
- update CNI version refs
**Which issue this PR fixes**
fixes#43488
**Release note**:
`bumps CNI to version v0.5.1 where plugins properly handle DEL on non existent resources`
Automatic merge from submit-queue
Disable Horizontal Pod Autoscaler upgrade tests
This PR disables HPA upgrade tests until they can be debugged as part of #43187.
/cc @skriss @krousey
```release-note
NONE
```
Automatic merge from submit-queue
Update flex volume 1.6 documentation.
**What this PR does / why we need it**:
Update documentation for 1.6 flex volume changes.
Automatic merge from submit-queue
Preserve API group order in discovery, prefer extensions over apps
Fixes#42392, supercedes #43543
Kubectl 1.5 still uses compiled in types in kubectl edit and apply.
Because kubectl 1.5 does not have the apps/v1beta1/deployment resource compiled in, the preferred group order must have extensions come before apps. The preference order is determined by the order that the groups are listed by the discovery service, with the first elements preferred over the last elements.
This PR:
* updates the discovery code to preserve the order groups were registered in
* updates the registration order to move the `apps` group to the end of the list (for the same result as https://github.com/kubernetes/kubernetes/issues/43543)
This has the side benefit of making all TPR API groups (regardless of group name) come after the core API groups, instead of potentially appearing earlier in discovery order
```release-note
The API server discovery document now prioritizes the `extensions` API group over the `apps` API group. This ensures certain commands in 1.5 versions of kubectl (such as `kubectl edit deployment`) continue to function against a 1.6 API.
```
Automatic merge from submit-queue
Increase delays between calling Stackdriver Logging API in e2e tests
Fix https://github.com/kubernetes/kubernetes/issues/43442
This is a temporary hack, proper solution will be implemented soon
Automatic merge from submit-queue
Check fluentd deployment befure running cluster logging e2e tests
There were changes to the way cluster logging is deployed to the cluster.
PR adds logic to the cluster logging e2e tests to check that cluster has fluentd and that there's only one fluentd instance on the node. This will verify the correctness of the deployment method.
Automatic merge from submit-queue
Fix adding disks to more than one scsi adapter. Fixes#42399
**What this PR does / why we need it**: Allows a single node to use more than 16 disks.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#42399
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix adding disks to more than one scsi adapter.
```
Automatic merge from submit-queue
Add an env KUBE_ENABLE_MASTER_NOSCHEDULE_TAINT and disable it by default
This PR changed master `NoSchedule` taint to opt-in.
As is discussed with @bgrant0607 @janetkuo, `NoSchedule` master taint breaks existing user workload, we should not enable it by default.
Previously, NPD required the taint because it can only support one OS distro with a specific configuration. If master and node are using different OS distros, NPD will not work either on master or node. However, we've already fixed this in https://github.com/kubernetes/kubernetes/pull/40206, so for NPD it's fine to disable the taint.
This should work, but I'll still try it in my cluster to confirm.
@kubernetes/sig-scheduling-misc @dchen1107 @mikedanese
Automatic merge from submit-queue (batch tested with PRs 43533, 43539)
kuberuntime: don't override the pod IP for pods using host network
This fixes the issue of not passing pod IP via downward API for host network pods.
Automatic merge from submit-queue
bump Kubernetes packaged CNI to v0.5.1
Update version of packaged CNI to v0.5.1 in order as part of a fix for #43488.
Next steps compiling these versions and updating references to artifacts.
/cc @ixdy
Automatic merge from submit-queue (batch tested with PRs 43465, 43529, 43474, 43521)
Added retransmissions in service call by e2e resource consumer library.
Added retransmissions in service call by e2e resource consumer library.
Fixes#43187.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43465, 43529, 43474, 43521)
kubelet/cni: hook network plugin Status() up to CNI network discovery
Ensure that the plugin returns NotReady status until there is a
CNI network available which can be used to set up pods.
Fixes: https://github.com/kubernetes/kubernetes/issues/43014
I think the only reason it wasn't done like this in the first place was that the dynamic "reread /etc/cni/net.d every 10s forever" was added long after the Status() hook was. What do you think?
@freehan @caseydavenport @luxas @jbeda
Automatic merge from submit-queue
Disable readyReplicas validation for Deployments
Because there is no field in 1.5, when we update to 1.6 and the
controller tries to update the Deployment, it will be denied by
validation because the pre-existing availableReplicas field is greater
than readyReplicas (normally readyReplicas should always be greater or
equal).
Fixes https://github.com/kubernetes/kubernetes/issues/43392
@kubernetes/sig-apps-bugs
Automatic merge from submit-queue (batch tested with PRs 43513, 43499)
Make kubectl replace unconditional
second attempt at https://github.com/kubernetes/kubernetes/pull/43192
rather than a retry, make the replace unconditional, which works reliably
Automatic merge from submit-queue (batch tested with PRs 43513, 43499)
Fix Cluster-Autoscaler e2e failing on some node configs
This fixes a cluster-autoscaler e2e failure on some node configs (namely if memory capacity == allocatable memory).
**Release note**:
```release-note
```
Because there is no field in 1.5, when we update to 1.6 and the
controller tries to update the Deployment, it will be denied by
validation because the pre-existing availableReplicas field is greater
than readyReplicas (normally readyReplicas should always be greater or
equal).
Automatic merge from submit-queue
Add validation for affinities and taints/tolerations annotations.
It fixes annotations validation issues for pod/node affinities and taints/tolerations annotations for 1.5 to 1.6 upgrade tests as discussed in the issue https://github.com/kubernetes/kubernetes/issues/43228 .
@davidopp @derekwaynecarr @kubernetes/sig-scheduling-pr-reviews
Automatic merge from submit-queue
update influxdb dependency to v1.1.1 and change client to v2
**What this PR does / why we need it**:
1. it updates version of influxdb libraries used by tests to v1.1.1 to match version used by grafana
2. it switches influxdb client to v2 to address the fact that [v1 is being depricated](https://github.com/influxdata/influxdb/tree/v1.1.1/client#description)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @piosz
1. [vendor/BUILD](https://github.com/KarolKraskiewicz/kubernetes/blob/master/vendor/BUILD) didn't get regenerated after executing `./hack/godep-save.sh` so I left previous version.
Not sure how to trigger regeneration of this file.
2. `tests/e2e/monitoring.go` seem to be passing without changes, even after changing version of the client.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43492, 43489)
Authorize PSP usage for pods without service accounts
Fixes#43459
```release-note
PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin.
```
Automatic merge from submit-queue (batch tested with PRs 43481, 43419, 42741, 43480)
controller: work around milliseconds skew in AddAfter
AddAfter is not requeueing precisely after the provided time and may
skew for some millieseconds. This is really important because controllers
don't relist often so a missed check because of ms difference is
essentially dropping the key. For example, in [1] the test requeues a
Deployment for a progress check after 10s[2] but the Deployment is synced
9ms earlier ending up in the controller not recognizing the Deployment as
failed thus dropping it from the queue w/o any error. The drop is fixed by
forcing the controller to resync the Deployment but we are going to resync
after the full duration.
@deads2k if you don't like this I am going to handle this on a case by case basis
[1] https://github.com/kubernetes/kubernetes/issues/39785#issuecomment-279959133
[2] c48b2cab0f/test/e2e/deployment.go (L1122)
Kubernetes Submit Queue